Microsoft to Congress: Time To Seed Cloud Computing

A senior Microsoft official said this week that the government must revise out-of-date statutes and lay new legislative groundwork to keep pace with technology as more computing work is processed globally over the Internet.

Brad Smith, Microsoft's senior vice president and general counsel, spoke on Wednesday at a policy forum in Washington, D.C.'s Brookings Institution. He said that without a greater national effort to clarify various law enforcement, liability and privacy rules, the transformative potential of cloud-based computing could be undermined.

The differences between how the United States and Europe handle personally identifiable information, Smith said, are just one example of the kind of challenges that cloud computing users and providers are likely to face as data moves increasingly in and out of third-party computing centers across the globe.

"The computing experience is undergoing a powerful transformation," Smith said. "For information technology, the cloud represents a major extension of computing models. Cloud computing, properly implemented, provides users with greater flexibility, portability and choice in their computing options" and "offers new benefits for almost every part of society."

However, cloud computing also presents a host of new questions and concerns that Smith argued require the government's attention.

Smith called for Congress to consider a "Cloud Computing Advancement Act that will promote innovation, protect consumers and provide the executive branch with the new tools needed for a new technology era." He also recommended updating the Electronic Communications Privacy Act and the Computer Fraud and Abuse Act (CFAA). In particular, updating the CFAA would help law enforcement officials address security in the cloud and "strengthen the legal ability of cloud service providers to pursue their own civil claims against security violators."

He also advocated the establishment of "truth in cloud computing" principles "so consumers and businesses have full knowledge of how their information will be accessed and used by service providers and how it will be stored online." Smith asked for the government's help in aligning international rules for the use of data.

"We need Congress and the administration to address three issues in particular: privacy, security and international sovereignty," Smith said.

"The protection of privacy has long been a fundamental American right," he said, noting that the privacy protection afforded to U.S. consumers was "a hallmark of the personal computer revolution" in the 1980s.

"In contrast, one obvious attribute of the cloud is that information typically is stored on a server computer that is controlled by a third party. This makes it all the more important for service providers to be thoughtful and clear in deciding and communicating what they will do with this information," he said.

"Equally important, we need government action to ensure that as information moves from the desktop to the cloud, we retain the traditional balance of individual privacy vis-à-vis the state," he said. "The courts have cast doubt on whether the Fourth Amendment to the Constitution, which provides this protection, applies to information that is transferred to a third party for storage or use," he said.

Changes in communication technology have led to this type of situation before, Smith said. He cited Congress' move in the 1980s to adopt the Electronic Communications Privacy Act (ECPA) to address legal gaps that otherwise failed to protect the privacy of electronic and stored communications, and which clarified when and how law enforcement agents can access such data. But ECPA was enacted before the popularization of the Internet and has become increasingly antiquated as a result, Smith argued.

Michael Nelson, visiting professor at Georgetown University and former special assistant for information technology at the White House Office of Science and Technology Policy during the Clinton administration, agreed with Smith.

"We definitely need to update and clarify some of the existing laws on law enforcement's access to information, whether it is e-mail or information stored in the cloud," Nelson said. The question that needs to be addressed, he said, is, "How does the Fourth Amendment apply when the data that once was on your desktop are now in the cloud?"

Smith also emphasized that "as we develop new cloud services, we need to continue to...implement new security standards, such as those from the International Standards Organization and under the Federal Information Security Management Act."

"Government enforcement will play a critical role in stopping and deterring attacks on the cloud, but only if Congress adapts the law to new security challenges," he said.

At the same time, one of the emerging concerns raised at the forum, Nelson said, is what kind of liability protections cloud computing providers can expect in the future.

"It was the consensus [of industry and legal experts attending the forum] that we can't hold a cloud provider liable [for] everything that happens with a user's data," Nelson said. "But they should be held liable if they don't live up to their commitments."

Smith cited recent cases in Belgium, Brazil and Italy where each country "sought to impose their laws on U.S. service providers even for data stored in the United States. These types of cases increasingly have raised the prospect of civil and even criminal penalties for service providers." "This is creating a catch-22 situation for the cloud," Smith said, "where a decision to comply with a lawful demand for user data in one jurisdiction may place a provider at risk of violating laws elsewhere."